Dear readers,a long time passed since my last post and even more things changed in my life.My "blue team" perspective has changed to the viewpoint of an internal auditor - and upcoming posts will probably reflect this… life remains exciting. 😎

In the following we'll take a look at customer name ranges in SAP and how to use them to move things like malicious code out of the sight of security people and… well… auditors.

First of all:Customer-created objects in SAP do not always start with Y* and Z*.There are many more possibilities.

Let's start with some obvious things: Workbench objects in SAP (custom reports, tables, transaction codes, function modules, and many more) may not be named arbitrarily. They are bound to name ranges, which SAP designated for customer developments.SAP Note 16466 - "Customer name range for SAP objects" gives a list of allowed name ranges per object type (yes: different types have different allowed name ranges).

In this post, we'll focus on some of the types, which are interesting for an attacker and allow data manipulation or implementing backdoors, etc.: ABAP reports (obvious!), tables (just because), and transaction codes (e.g. to bypass S_PROGRAM checks).Let's see what the above mentioned SAP note 16466 says about the allowed customer name ranges for these objects:

[except from the SAP note]

SAP adds in a strict but benevolent tone:"It is essential that you always adhere to the SAP naming conventions. Serious problems may otherwise result during the next upgrade (the upgrade overwrites customer objects)."We'll come back to that later.

It's time to dive deeper: when you try to create - for example - a new report in the ABAP workbench, a function module is called in the background that checks the specified name for its compliance with the allowed name ranges.The relevant FM is TRINT_GET_NAMESPACE and it differentiates between 3 types of object names:

Customer,

Partner, and

SAP-reserved

For objects in the partner and SAP-reserved name ranges, you need an object key to create them - we won't discuss them here.The actually allowed names can be found in the FM's source code (which is pasta long and has grown for many years).I'll quickly summarize it for our 3 examples (reports, tables, and transaction codes) here:

Table names in this range are checked against the exception
table TDKZ. If no entry is found, the name belongs to the
customer name range.
Table TDKZ usually contains the entries listed in the second
last line of this table.

J_
TJ

Partner

Old partner namespace;
TJ-tables only for 2.2-compatibility

T9COM
T9DEV
T9PRO
ZCXCB
ZCXCM
ZHLB1
ZHLG1
ZHLG2
ZIS_FORM

SAP-reserved

These table names are SAP-reserved as per the exception table TDKZ.

( all others )

SAP-reserved

→ Transaction codes

Name starts with...

Name range

Remarks by SAP

Y
Z
+

Customer

Old customer namespace

J

Partner

Old partner namespace

( all others )

SAP-reserved

So we have a whopping 47 name ranges to choose from for our next malicious report! … and hardly any auditor will ever identify a program called MSTHRP9INT as a customer-developed one.To be even more sure, you could also fake the report's "creator" easily (more on this in my next post).

Now back to SAP's stern statement on what happens, when you're not nice and use name ranges not listed in Note 16466:First of all, I doubt it - but didn't check it myself. Since the FM TRINT_GET_NAMESPACE is used by every workbench-related functionality in the ABAP-stack, I would assume that all ABAP code, which is called during an update also uses the same logic. The command line tools (tp, R3trans …) are usually synced with their ABAP pendants, so they'll probably perform very similar checks as well.And secondly, it doesn't really matter. Most attackers would probably do, what they intended to do, once they have compromised an SAP system in such a way. There's no need to wait a long time and then come back… and persistence inside a victim's network can be achieved in more reliable ways and with less traces to cover.

Happy hunting and see you! 😀

PS: Just to prevent confusion - this post is about "name ranges", not "namespaces" like /SNAKEOIL.